========================
Team and repository tags
========================

.. image:: https://governance.openstack.org/tc/badges/patrole.svg
   :target: https://governance.openstack.org/tc/reference/tags/index.html

Patrole - RBAC Integration Tempest Plugin
=========================================

Patrole is a security validation tool for verifying that Role-Based Access
Control is correctly configured and enforced in a system. It runs Tempest-based
API tests using specified RBAC roles, thus allowing deployments to verify that
only intended roles have access to those APIs.

Patrole currently offers testing for the following OpenStack services: Nova,
Neutron, Glance, Cinder and Keystone.

Patrole is currently undergoing heavy development. As more projects move
toward policy in code, Patrole will align its testing with the appropriate
documentation.

Design Principles
-----------------

Patrole borrows some design principles from Tempest, but not all, as its
testing scope is confined to policies.

* *Stability*. Patrole uses OpenStack public interfaces. Tests in Patrole
  should only touch public OpenStack APIs.
* *Atomicity*. Patrole tests should be atomic: they should test policies in
  isolation. Unlike Tempest, a Patrole test strives to only call a single
  endpoint at a time.
* *Holistic coverage*. Patrole strives for complete coverage of the OpenStack
  API. Additionally, Patrole strives to test the API-to-policy mapping
  contained in each project's policy in code documentation.
* *Self-contained*. Patrole should attempt to clean up after itself; whenever
  possible we should tear down resources when done.

  .. note::

     Patrole modifies roles dynamically in the background, which affects
     pre-provisioned credentials. Work is currently underway to clean up
     modifications made to pre-provisioned credentials.

* *Self-tested*. Patrole should be self-tested.

Features
--------
* Validation of default policy definitions located in policy.json files.
* Validation of in-code policy definitions.
* Validation of custom policy file definitions that override default policy
  definitions.
* Built-in positive and negative testing. Positive and negative testing
  are performed using the same tests and role-switching.
* Validation of custom roles as well as default OpenStack roles.

.. note::

   Patrole does not yet support policy.yaml files, the new file format for
   policy files in OpenStack.

How It Works
------------
65Patrole leverages ``oslo.policy`` (OpenStack's policy enforcement engine) to
66determine whether a given role is allowed to perform a policy action, given a
67specific role and OpenStack service. The output from ``oslo.policy`` (the
68expected result) and the actual result from test execution are compared to
69each other: if both results match, then the test passes; else it fails.
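
The comparison described above, together with the role-switching behind the
"built-in positive and negative testing" feature, can be modelled in a few
dozen lines. The following is an added example and not Patrole's or
``oslo.policy``'s own code: it evaluates a small subset of the ``oslo.policy``
rule language against constructed policy definitions (rule names mimic Nova's,
the values are illustrative), then compares that expected result with the
HTTP status returned by a constructed stub API that enforces a deliberately
drifted copy of the same policy. The ``StubApi`` class, the two policy
dictionaries and the ``over-permission``/``under-permission`` labels are this
example's own.

```python
"""Expected-versus-actual RBAC check, modelled on Patrole's approach.

Added example, not Patrole's or oslo.policy's code. Supported rule subset:
atoms such as ``role:admin`` and ``project_id:%(project_id)s`` joined by
``and``/``or``, ``rule:`` references, ``@`` (allow all) and ``!`` (deny all);
no parentheses or ``not``.
"""


def check_atom(policy, atom, target, creds):
    """Evaluate one ``kind:value`` atom against credentials and target.

    ``role:X`` matches a role in the credentials, ``rule:Y`` recurses into a
    named rule, anything else is a generic check comparing a credential field
    with a literal or with a ``%(key)s`` value taken from the target resource.
    """
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return is_allowed(policy, value, target, creds)
    if value.startswith("%(") and value.endswith(")s"):
        value = str(target.get(value[2:-2]))
    return str(creds.get(kind)) == value


def is_allowed(policy, action, target, creds):
    """Expected result: does ``policy`` grant ``action`` to ``creds``?

    ``and`` binds tighter than ``or``, as in oslo.policy. An action with no
    rule is denied here (an assumption of this example, not a real default).
    """
    rule = policy.get(action, "!").strip()
    if rule == "@":
        return True
    if rule == "!":
        return False
    return any(
        all(check_atom(policy, atom.strip(), target, creds)
            for atom in clause.split(" and "))
        for clause in rule.split(" or ")
    )


class StubApi:
    """Constructed stand-in for a service: enforces the policy the deployment
    actually shipped and answers 200 or 403 like a real endpoint would."""

    def __init__(self, deployed_policy):
        self.deployed_policy = deployed_policy

    def call(self, action, target, creds):
        return 200 if is_allowed(self.deployed_policy, action, target, creds) else 403


def rbac_check(expected_policy, api, action, target, creds):
    """Core comparison: expected (from the policy file) vs actual (from the API).

    Returns 'pass', 'over-permission' (API allowed what the policy denies) or
    'under-permission' (API denied what the policy grants). Labels are ours.
    """
    expected = is_allowed(expected_policy, action, target, creds)
    actual = api.call(action, target, creds) != 403
    if expected == actual:
        return "pass"
    return "over-permission" if actual else "under-permission"


def run_for_roles(expected_policy, api, action, target, project_id, roles):
    """Run the same check once per role (role switching): a positive test for
    roles the policy grants, a negative test for the others."""
    return {
        role: rbac_check(expected_policy, api, action, target,
                         {"roles": [role], "project_id": project_id})
        for role in roles
    }


# Constructed policy.json-style definitions: what the operator believes is in force.
EXPECTED_POLICY = {
    "admin_required": "role:admin",
    "admin_or_owner": "rule:admin_required or project_id:%(project_id)s",
    "os_compute_api:servers:create": "rule:admin_or_owner",
    "os_compute_api:servers:delete": "rule:admin_or_owner",
    "os_compute_api:os-flavor-manage:create": "rule:admin_required",
}

# What the service actually enforces: two rules have drifted (constructed).
DEPLOYED_POLICY = dict(EXPECTED_POLICY)
DEPLOYED_POLICY["os_compute_api:os-flavor-manage:create"] = "@"  # anyone may create flavors
DEPLOYED_POLICY["os_compute_api:servers:delete"] = "rule:admin_required"  # owners locked out

if __name__ == "__main__":
    api = StubApi(DEPLOYED_POLICY)
    target = {"project_id": "p1"}  # the server being acted on belongs to project p1
    for action in EXPECTED_POLICY:
        if action.startswith("os_compute_api:"):
            print(action, run_for_roles(EXPECTED_POLICY, api, action, target,
                                        "p1", ["admin", "member"]))
```

Running it reports ``pass`` for both roles on ``servers:create``, an
``under-permission`` failure for ``member`` on ``servers:delete`` (the policy
grants owners the call but the deployment returns 403) and an
``over-permission`` failure for ``member`` on ``os-flavor-manage:create`` (the
deployment returns 200 where the policy says admin only). Note that the
expected result is computed from the same policy file the service is supposed
to load, so the check only catches drift between the file and what is
enforced, not a policy that is itself too permissive; that is the operator's
review, which Patrole's custom-policy validation feature supports.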

* Documentation: https://docs.openstack.org/patrole/latest/
* Bugs: https://bugs.launchpad.net/patrole

Quickstart
----------
Tempest is a prerequisite for running Patrole. If you do not have Tempest
installed, please reference the official Tempest documentation for guidance.

Assuming Tempest is installed, the simplest way to configure Patrole is:

1. Open up the ``tempest.conf`` configuration file and include the following
   settings:

.. code-block:: ini

    [rbac]
    enable_rbac = True
    rbac_test_role = admin

These settings tell Patrole to run RBAC tests using the "admin" role (which
is the default admin role in OpenStack) to verify the default policy
definitions used by OpenStack services. Specifying a different role
for ``rbac_test_role`` will run Patrole tests against that role. For additional
information about Patrole's configuration settings, please refer to
:ref:`patrole-configuration` and :ref:`patrole-sampleconf` for a sample
configuration file.

2. You are now ready to run Patrole. To do so, you can use any testr-based test
   runner::

    $ testr run patrole_tempest_plugin.tests.api

or::

    $ ostestr --regex '(?!.*\[.*\bslow\b.*\])(^patrole_tempest_plugin\.tests\.api)'

It is also possible to run Patrole using tox::

    tox -eall-plugin -- patrole_tempest_plugin.tests.api

Release Versioning
------------------
`Patrole Release Notes <https://docs.openstack.org/releasenotes/patrole/>`_
shows which changes have been released for each version.

Patrole's release versioning follows Tempest's conventions. Like Tempest,
Patrole is branchless and uses versioning instead.